Links and posts about Maine & US Politics, Science, Entertainment, or other topics as I see fit.

No guarantees you will give a damn...

Best Viewed with IE or Opera. Sorry, Firefox works, but loses some sidebar layout,
'my profile' and other stuff... Anybody with a fix, please leave a comment. Many thanks in advance.
That said, if you must use Firefox (and I don't blame you, it's become my browser of choice, too)
...get the "IE Tab" extension. This allows you to view problem pages with the IE rendering engine. Very cool!

Saturday, September 09, 2006

If you really want to see Microsoft scramble to patch a hole in its software, don't look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond's DRM.

Security patches used to be rare. Software vendors were happy to pretend that vulnerabilities in their products were illusory -- and then quietly fix the problem in the next software release.

That changed with the full disclosure movement. Independent security researchers started going public with the holes they found, making vulnerabilities impossible for vendors to ignore. Then worms became more common; patching -- and patching quickly -- became the norm.

But even now, no software vendor likes to issue patches. Every patch is a public admission that the company made a mistake. Moreover, the process diverts engineering resources from new development. Patches annoy users by making them update their software, and piss them off even more if the update doesn't work properly.

Continued...to "Read More" click link belowCONTINUED:

For the vendor, there's an economic balancing act: how much more will your users be annoyed by unpatched software than they will be by the patch, and is that reduction in annoyance worth the cost of patching?

Since 2003, Microsoft's strategy to balance these costs and benefits has been to batch patches: instead of issuing them one at a time, it's been issuing them all together on the second Tuesday of each month. This decreases Microsoft's development costs and increases the reliability of its patches.

The user pays for this strategy by remaining open to known vulnerabilities for up to a month. On the other hand, users benefit from a predictable schedule: Microsoft can test all the patches that are going out at the same time, which means that patches are more reliable and users are able to install them faster with more confidence.

In the absence of regulation, software liability, or some other mechanism to make unpatched software costly for the vendor, "Patch Tuesday" is the best users are likely to get.

Why? Because it makes near-term financial sense to Microsoft. The company is not a public charity, and if the internet suffers, or if computers are compromised en masse, the economic impact on Microsoft is still minimal.

Microsoft is in the business of making money, and keeping users secure by patching its software is only incidental to that goal.

There's no better example of this of this principle in action than Microsoft's behavior around the vulnerability in its digital rights management software PlaysForSure.

Now, this isn't a "vulnerability" in the normal sense of the word: digital rights management is not a feature that users want. Being able to remove copy protection is a good thing for some users, and completely irrelevant for everyone else. No user is ever going to say: "Oh no. I can now play the music I bought for my PC on my Mac. I must install a patch so I can't do that anymore."

But to Microsoft, this vulnerability is a big deal. It affects the company's relationship with major record labels. It affects the company's product offerings. It affects the company's bottom line. Fixing this "vulnerability" is in the company's best interest; never mind the customer.

So Microsoft wasted no time; it issued a patch three days after learning about the hack. There's no month-long wait for copyright holders who rely on Microsoft's DRM.

This clearly demonstrates that economics is a much more powerful motivator than security.

It should surprise no one that the system didn't stay patched for long. FairUse4WM 1.2 gets around Microsoft's patch, and also circumvents the copy protection in Windows Media DRM 9 and 11beta2 files.

That was Saturday. Any guess on how long it will take Microsoft to patch Media Player once again? And then how long before the FairUse4WM people update their own software?

Certainly much less time than it will take Microsoft and the recording industry to realize they're playing a losing game, and that trying to make digital files uncopyable is like trying to make water not wet.

If Microsoft abandoned this Sisyphean effort and put the same development effort into building a fast and reliable patching system, the entire internet would benefit. But simple economics says it probably never will.

This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For more information go to: Cornell.edu. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.